General

  • Target

    b810da008d810f42c6347c8f3cba222f2a9f58f2d21ef336a03f041d53b9a5a1N.exe

  • Size

    1.9MB

  • Sample

    240924-wypwja1dme

  • MD5

    aefc9db6299b266732b17284fd21e570

  • SHA1

    59ac233b4c821859aaef31b380d73f03ac4c72b7

  • SHA256

    b810da008d810f42c6347c8f3cba222f2a9f58f2d21ef336a03f041d53b9a5a1

  • SHA512

    041ddd2dab23cac6dbd962ff2855b951b84168caa1b9b7a999faf6dc185f3428d644392b909288164eb1edc1561c3a1e740b59df6f180327da7a922cfe1bf753

  • SSDEEP

    24576:TUd4s3AGKyIRdemONgNyu5dVLaqSPWEmcBfBuI:TJslIT95dUjPWKBl

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7480318146:AAHneAEj7T3jx1iB2ghJbCQTHlT0BWac8Tg/sendMessage?chat_id=968705978

Targets

    • Target

      b810da008d810f42c6347c8f3cba222f2a9f58f2d21ef336a03f041d53b9a5a1N.exe

    • Size

      1.9MB

    • MD5

      aefc9db6299b266732b17284fd21e570

    • SHA1

      59ac233b4c821859aaef31b380d73f03ac4c72b7

    • SHA256

      b810da008d810f42c6347c8f3cba222f2a9f58f2d21ef336a03f041d53b9a5a1

    • SHA512

      041ddd2dab23cac6dbd962ff2855b951b84168caa1b9b7a999faf6dc185f3428d644392b909288164eb1edc1561c3a1e740b59df6f180327da7a922cfe1bf753

    • SSDEEP

      24576:TUd4s3AGKyIRdemONgNyu5dVLaqSPWEmcBfBuI:TJslIT95dUjPWKBl

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks